the Chromium logo

The Chromium Projects

Trusted Platform Module firmware vulnerability: technical documentation

Vulnerability description

There is a bug in certain Infineon TPM firmware versions which results in RSA keys generated by the TPM being vulnerable to an attack that allows to recover the private half of the RSA key from just the public key. The researchers who found the vulnerability have published high-level information here: Currently known exploits are computationally expensive; specifically, for RSA keys of bit size 2048, the researchers give an estimate of 140.8 CPU years to break a single key. Note that this figure might drop as more researchers look at the attack. At the current point in time, it means TPM-generated RSA keys can't be broken at large scale, but targeted attacks are possible. To summarize: There exists a practical attack against TPM-generated RSA keys, but it doesn't allow large-scale exploitation of Chrome OS devices.

Impacted features

Chrome OS relies on TPM-generated RSA keys for a number of features:

Slowing down brute-force attacks against encrypted user data. The page
[Protecting Cached User
describes this in more detail. The vulnerability allows the attacker to
brute-force the encryption key (bit size 2048) off-device. However, note
that off-device brute-force attacks are only advantageous against strong
passwords - weak passwords are still less expensive to brute-force against
the TPM regardless of whether it runs vulnerable firmware or not.

Hardware-backed encryption keys / certificates. Chrome OS allows users to
generate and import RSA keys that are protected by the TPM so the main OS
can't access the private key. These keys are typically accompanied by a
certificate and then used in network authentication, such as WPA2-EAP, HTTPS
client authentication, etc. The vulnerability allows attackers to determine
the private key. The bit size of generated and imported keys depends on
parameters. The bit sizes supported by Chrome OS for TPM-backed keys are
1024 or 2048. You can check key sizes for certificates backed by TPM keys at

Chrome OS [Verified
Access]( allows network
services to verify client device integrity and identity. TPM-generated RSA
keys (bit size 2048) are used in the certification process. Attackers can
exploit the vulnerability to break an "Attestation Identity Key", which
allows them to impersonate a legit device from an endpoint of their choice.


In Chrome OS M60, we strengthened Chrome OS user data protection using the scrypt password hashing scheme to act as a second line of defense even in case the brute-force protection afforded by the TPM is lost. Users were automatically upgraded to the new scheme behind the scenes without user-observable effects. This measure guarantees adequate protection of encrypted user data for users that use strong passwords. If your password isn't strong, now is a good time to fix this - the risk involved with using a weak password generally transcends Chrome OS and affects other places that store sensitive data.

For hardware-backed encryption keys and Verified Access, mitigations are technically infeasible without losing the hardware binding, and thus breaking the feature. The only supported path to restore the designed security strength for these features is to update TPM firmware.

See below for advice on whether and when to update TPM firmware.

Affected TPM firmware versions

You can check the TPM firmware running on your device by looking at the firmware_version line of the tpm_version entry in chrome://system. If the tpm_version entry is absent, this is likely because you are running an old Chrome OS version which doesn't report this information. Upgrade to a newer version and check again.

Vulnerable firmware versions used on Chrome OS are (listing the firmware_version value from chrome://system as well as the human-readable version number):

Fixed firmware versions are as follows:

Affected devices

With the exception of older devices that use the Infineon SLB 9635 TPM, all Chrome OS devices that include an Infineon TPM chip are affected. Here is the complete list of affected devices with code names and marketing names:

TPM firmware update

Recent Chrome OS builds of version M61 and later include functionality to install a TPM firmware update on the affected devices. After installing the update, RSA keys generated by the TPM are no longer vulnerable against the attack described above.

Chrome OS versions including the firmware update

The following Chrome OS versions include the TPM firmware update for affected devices (note that chromium OS builds do not contain firmware files):

The one exception is link / Google Chromebook Pixel, for which the TPM firmware update functionality is not enabled yet. There is a problem with firmware update installation on that device, we intend to ship an update with a fix to enable the TPM firmware update as soon as possible.

Things to know about the update process

Installing the TPM firmware update requires a hardware reset of the TPM chip. This means that all data held by the TPM will be discarded. This includes disk encryption keys, implying all user data stored locally on the device will be lost. Thus, you need to carefully backup any important data before you install the update.

We are actively working on ways to allow updated TPM firmware to be installed without losing all data on the device. Launch dates for these non-destructive update flows are not confirmed at this point though.

There is also a risk that the update will fail e.g. due to loss of power while installing the update. See below for more information on how to recover from this situation. You'll need Chrome OS recovery media in order to invoke the recovery flow. You will want to make sure that you either prepare it before starting the TPM firmware update just in case or have another computer available to create recovery media in case you need it.

Deciding whether to install the update

There is no one-size-fits-all advice on whether to install the update or not. As described above, there are inherent inconveniences and risks associated with the update process and a limited set of features is impacted by the vulnerability. In order to help make an informed decision, here is some guidance. If any of the following applies, consider installing the update:

You rely on the highest level of protection that Chrome OS can offer for
your encrypted user data (TPM-backed protection against password
brute-forcing attacks).

You are using hardware-backed encryption keys and corresponding certificates
to access network services such as corporate web sites, VPNs. etc. If you're
unsure you can check the "your certificates" section in
chrome://settings/certificates to see whether you have any hardware-backed

You are using [Verified
Access]( for device
authentication on your enterprise-managed Chrome OS devices. When in doubt,
ask your administrator.

If none of the bullets above apply to you, you don't benefit from the update and can safely skip it, thus avoiding potential complications due to failing updates as described above.

Installing the update

Due to the implied loss of data, users must trigger the update explicitly. To do so, users can opt in to installing the TPM firmware update as part of the factory reset flow also known as "powerwash". Note that for enterprise-managed devices, the powerwash UI is not regularly available. We have added a TPM firmware update device policy though which admins can set to make the TPM firmware update via powerwash available to their users.

The steps are as follows:

Trigger the powerwash flow, either via Ctrl+Alt+Shift+r on the login screen,
or via the powerwash option in chrome://settings > Advanced.

The flow will ask you to reboot unless you have just restarted your device

In the powerwash dialog, there will be a checkbox "Update firmware for added
security." Check it in order to request the TPM firmware update to be
If you don't see a checkbox, this can be due to a number of reasons:

    Your device already runs updated firmware, check chrome://system as
    described above to confirm.

    You are running an older Chrome OS version that doesn't include
    functionality to update TPM firmware. Upgrade to a newer OS version.

Once you click the "Powerwash" button and confirm, the device will reboot.

After the reboot, you'll see a message indicating that the powerwash is in
progress. Wait for it to complete, after which the device will reboot again.

After the second reboot, the device will show a message screen when
installing the firmware update. There is a progress bar that will be updated
as the update progresses. The device will reboot once more after installing
the update.

After the third reboot, you'll see the familiar Chrome OS UI again showing
the out of box experience. Your device is just as new, so you can go through
the setup flow again and then log in as usual.

It’s worth double-checking you are running fixed TPM firmware by checking
the tpm_version entry in chrome://system. See the **Affected TPM firmware
versions** section for details.

Retrying a failed update

There is a risk that the device will no longer boot if the update fails. This happens when the update installation gets interrupted while on the installation progress screen, for example due to power loss. The device will show a screen saying "Chrome OS is missing or damaged". If you press Tab on this screen, you'll see some additional information including a line labelled "recovery_reason". If the boot failure was due to an earlier failed TPM firmware update, you'll likely see "Secure NVRAM (TPM) initialization error" as "recovery_reason".

Devices in this state can be recovered via Chrome OS recovery. Recovery images for versions that have the TPM firmware update (see above) include functionality to retry a TPM firmware update that has previously failed. Follow these steps to recover:

Make absolutely sure that your device is connected to a reliable power
source and has a charged battery (if applicable).

Press Esc+Refresh+Power (keep holding Esc+Refresh for a while after
releasing power) in order to start recovery mode. The device will boot to a
screen that says "Chrome OS is missing or damaged" (older devices) or
"Please insert a recovery USB stick or SD card" (newer devices).

Plug the recovery media.

The device will launch the recovery procedure, starting with verification of
the recovery media.

If the recovery software determines the TPM has encountered a previous
failed update, it will automatically launch the TPM firmware update
installation process. You'll see a screen indicating the update is getting
installed, with a progress bar getting updated as the update progresses.

After successful installation of the update, the device will reboot.
Afterwards, the device should boot to the familiar Chrome OS UI again
showing the out-of-box experience.

Troubleshooting recovery failure

The recovery software will show a screen saying "The security module on this device is not working" if it encounters a bug or a condition that the recovery software is unable to fix. If you see this, you'll want to ask for help either via Chromebook Central Help Forum or via EDU / enterprise support channels (if applicable). There are some important pieces of evidence to gather that are helpful in figuring out the root cause of the failure:

Hold on to recovery media. The recovery software stores diagnostic
information on it, so do not use it for recovery attempts on other devices
and do not overwrite otherwise. The log files can be found on the first
partition under "recovery_logs" and contain a trace of the recovery software
execution flow which is invaluable in tracking down the root cause for the

Take note of the information shown by pressing Tab on the "Chrome OS is
missing or damaged screen" e.g. by snapping a photo. The recovery_reason
line is particularly interesting as it may indicate clues as to what state
the TPM is in.

Subsequent TPM firmware update prompt

Due to a bug in the original implementation of the TPM firmware update flow, a vulnerable Storage Root Key (a key held in the TPM that is used to encrypt other keys) from before the update may remain even after completing the update. This affects a small number of devices that did not finish the TPM firmware update in normal boot mode but only after retry using a recovery image. This can be addressed by performing another powerwash to clear the TPM again and thus regenerate a new Storage Root Key that is not vulnerable. Chrome OS M70 and later will show a one-time system notification saying "Security upgrade available" / "Reset your Chromebook to upgrade your security" for each user to alert of them of the situation. Users should re-evaluate their situation per the advice above to decide whether they want to perform the powerwash, which can be triggered by invoking the firmware update flow again via chrome://chrome.

Manually Updating

If you want to apply the update manually for any reason (e.g. you're using a Chromebook Pixel (link)), here's the steps required.

  1. Put the device into dev mode
  2. If you're already in dev mode, you'll need to Powerwash or go through recovery to reset the TPM back to the correct initial state
  3. Boot the device until you get to the initial OOBE screen (where you select network/etc...)
    • Don't sign in!
  4. Switch to a console by pressing Ctrl-Alt-F2 (the -> key is the same as F2)
  5. Log in using the "root" username (there should be no password)
  6. Type this command (all on one line): dbus-send --system --dest=org.chromium.SessionManager --type=method_call /org/chromium/SessionManager org.chromium.SessionManagerInterface.StartTPMFirmwareUpdate string:first_boot
  7. After a few seconds, the device should reboot
    • If the device doesn't reboot, check /var/log/messages. If it says something about a user already having logged in, go back to step 2.
  8. Press Ctrl-D to boot
  9. Wait for the powerwash step to finish and reboot (should be quick)
  10. Press Ctrl-D to boot
  11. Wait for the installing update step to finish
  12. If the device reboots and takes you back to the login screen, you're done
  13. If you get an error, perform the steps described above to retry a failed update. Note that there is a known issue with original Chromebook Pixel (link) devices:The original TPM firmware version fails installing the firmware update just before completion. The device may or may not boot normally after turning it off and on again. It is critical to go through Chrome OS recovery again to reset the TPM into a good state and flush out all weak keys. You have been warned!
  14. If things still aren't working, then review the troubleshooting sections above